24 research outputs found

    Context transfer support for mobility management in all-IP networks.

    Get PDF
    This thesis is a description of the research undertaken in the course of the PhD and evolves around a context transfer protocol which aims to complement and support mobility management in next generation mobile networks. Based on the literature review, it was identified that there is more to mobility management than handover management and the successful change of routing paths. Supportive mechanisms like fast handover, candidate access router discovery and context transfer can significantly contribute towards achieving seamless handover which is especially important in the case of real time services. The work focused on context transfer motivated by the fact that it could offer great benefits to session re-establishment during the handover operation of a mobile user and preliminary testbed observations illustrated the need for achieving this. Context transfer aims to minimize the impact of certain transport, routing, security-related services on the handover performance. When a mobile node (MN) moves to a new subnet it needs to continue such services that have already been established at the previous subnet. Examples of such services include AAA profile, IPsec state, header compression, QoS policy etc. Re-establishing these services at the new subnet will require a considerable amount of time for the protocol exchanges and as a result time- sensitive real-time traffic will suffer during this time. By transferring state to the new domain candidate services will be quickly re-established. This would also contribute to the seamless operation of application streams and could reduce susceptibility to errors. Furthermore, re-initiation to and from the mobile node will be avoided hence wireless bandwidth efficiency will be conserved. In this research an extension to mobility protocols was proposed for supporting state forwarding capabilities. The idea of forwarding states was also explored for remotely reconfiguring middleboxes to avoid any interruption of a mobile users' sessions or services. Finally a context transfer module was proposed to facilitate the integration of such a mechanism in next generation architectures. The proposals were evaluated analytically, via simulations or via testbed implementation depending on the scenario investigated. The results demonstrated that the proposed solutions can minimize the impact of security services like authentication, authorization and firewalls on a mobile user's multimedia sessions and thus improving the overall handover performance

    Firewall Traversal in Mobile IPv6 Networks

    Get PDF
    Middleboxes, wie zum Beispiel Firewalls, sind ein wichtiger Aspekt für eine Großzahl moderner IP-Netzwerke. Heute IP-Netzwerke basieren überwiegend auf IPv4 Technologien, daher sind viele Firewalls und Network Address Translators (NATs) ursprünglich für diese Netzwerke entwickelt worden. Die Entwicklung von IPv6 Netzwerken findet zur Zeit statt. Da Mobile IPv6 ein relativ neuer Standard ist, unterstützen die meisten Firewalls die für IPv6 Netzwerke verfügbar sind, noch kein Mobile IPv6. Sofern Firewalls sich nicht der Details des Mobile IPv6 Protokolls bewusst sind, werden sie entweder Mobile IPv6 Kommunikation blockieren oder diesen sorgfältig handhaben. Dieses stellt einen der Haupthinderunggründe zum erfolgreichen Einsatz von Mobile IPv6 da.Diese Arbeit beschreibt die Probleme und Auswirkungen des Vorhandenseins von Middleboxes in Mobile IPv6 Umgebungen. Dazu wird zuerst erklärt welche Arten von Middleboxes es gibt, was genau eine Middlebox ist und wie eine solche Middlebox arbeiten und zweitens die Probleme identifiziert und die Auswirkungen des Vorhandenseins von Firewalls in Mobile IPv6 Umgebungen erklärt. Anschließend werden einige State-of-the-Art Middlebox Traversal Ansätze untersucht, die als mögliche Lösungen um die Mobile IPv6 Firewall Traversal Probleme zu bewältigen betrachtet werden können. Es wird detailiert erklärt wie diese Lösungen arbeiten und ihre Anwendbarkeit für Mobile IPv6 Firewall Traversal evaluiert.Als Hauptbeitrag bringt diese Arbeit zwei detailierte Lösungsansätze ein, welche das Mobile IPv6 Firewall Traversal Problem bewältigen können. Der erste Lösungsansatz, der NSIS basierte Mobile IPv6 Firewall Traversal, basiert auf dem Next Steps in Signaling (NSIS) Rahmenwerk und dem NAT/Firewall NSIS Signaling Layer Protocol (NAT/FW NSLP). Anschließend wird der zweite Lösungsansatz vorgestellt, der Mobile IPv6 Application Layer Gateway. Diese Arbeit erklärt detailiert, wie diese Lösungsansätze die Probleme und Auswirkungen des Vorhandenseins von Middleboxes in Mobile IPv6 Umgebungen bewältigen. Desweitern stellt diese Arbeit vor, wie die NSIS basierte Mobile IPv6 Firewall Traversal und die Mobile IPv6 Application Layer Gateway Proof-of-Concept Implementierungen, die im Rahmen dieser Arbeit entwicklet wurden, implementiert wurden. Abschließend werden die Proof-of-Concept Implementierungen sowie die beiden Lösungsansätze allgemein evaluiert und analysiert

    Packet filter performance monitor (anti-DDOS algorithm for hybrid topologies)

    Get PDF
    DDoS attacks are increasingly becoming a major problem. According to Arbor Networks, the largest DDoS attack reported by a respondent in 2015 was 500 Gbps. Hacker News stated that the largest DDoS attack as of March 2016 was over 600 Gbps, and the attack targeted the entire BBC website. With this increasing frequency and threat, and the average DDoS attack duration at about 16 hours, we know for certain that DDoS attacks will not be going away anytime soon. Commercial companies are not effectively providing mitigation techniques against these attacks, considering that major corporations face the same challenges. Current security appliances are not strong enough to handle the overwhelming traffic that accompanies current DDoS attacks. There is also a limited research on solutions to mitigate DDoS attacks. Therefore, there is a need for a means of mitigating DDoS attacks in order to minimize downtime. One possible solution is for organizations to implement their own architectures that are meant to mitigate DDoS attacks. In this dissertation, we present and implement an architecture that utilizes an activity monitor to change the states of firewalls based on their performance in a hybrid network. Both firewalls are connected inline. The monitor is mirrored to monitor the firewall states. The monitor reroutes traffic when one of the firewalls become overwhelmed due to a HTTP DDoS flooding attack. The monitor connects to the API of both firewalls. The communication between the rewalls and monitor is encrypted using AES, based on PyCrypto Python implementation. This dissertation is structured in three parts. The first found the weakness of the hardware firewall and determined its threshold based on spike and endurance tests. This was achieved by flooding the hardware firewall with HTTP packets until the firewall became overwhelmed and unresponsive. The second part implements the same test as the first, but targeted towards the virtual firewall. The same parameters, test factors, and determinants were used; however a different load tester was utilized. The final part was the implementation and design of the firewall performance monitor. The main goal of the dissertation is to minimize downtime when network firewalls are overwhelmed as a result of a DDoS attack

    A data-oriented network architecture

    Get PDF
    In the 25 years since becoming commercially available, the Internet has grown into a global communication infrastructure connecting a significant part of mankind and has become an important part of modern society. Its impressive growth has been fostered by innovative applications, many of which were completely unforeseen by the Internet's inventors. While fully acknowledging ingenuity and creativity of application designers, it is equally impressive how little the core architecture of the Internet has evolved during this time. However, the ever evolving applications and growing importance of the Internet have resulted in increasing discordance between the Internet's current use and its original design. In this thesis, we focus on four sources of discomfort caused by this divergence. First, the Internet was developed around host-to-host applications, such as telnet and ftp, but the vast majority of its current usage is service access and data retrieval. Second, while the freedom to connect from any host to any other host was a major factor behind the success of the Internet, it provides little protection for connected hosts today. As a result, distributed denial of service attacks against Internet services have become a common nuisance, and are difficult to resolve within the current architecture. Third, Internet connectivity is becoming nearly ubiquitous and reaches increasingly often mobile devices. Moreover, connectivity is expected to extend its reach to even most extreme places. Hence, applications' view to network has changed radically; it's commonplace that they are offered intermittent connectivity at best and required to be smart enough to use heterogeneous network technologies. Finally, modern networks deploy so-called middleboxes both to improve performance and provide protection. However, when doing so, the middleboxes have to impose themselves between the communication end-points, which is against the design principles of the original Internet and a source of complications both for the management of networks and design of application protocols. In this thesis, we design a clean-slate network architecture that is a better fit with the current use of the Internet. We present a name resolution system based on name-based routing. It matches with the service access and data retrieval oriented usage of the Internet, and takes the network imposed middleboxes properly into account. We then propose modest addressing-related changes to the network layer as a remedy for the denial of service attacks. Finally, we take steps towards a data-oriented communications API that provides better decoupling for applications from the network stack than the original Sockets API does. The improved decoupling both simplifies applications and allows them to be unaffected by evolving network technologies: in this architecture, coping with intermittent connectivity and heterogenous network technologies is a burden of the network stack

    A Tale of Two Layers: Patents, Standardization, and the Internet

    Get PDF

    Non-repudiation Service Implementation Using Host Identity Protocol

    Get PDF
    New types of service usages emerge every day in the Internet. Service usage could be Wireless Local Area Network (WLAN) usage or watching a streamed movie. Many of these services are commercial, so payment is often involved in the service usage, which increases the risk of fraud or other misbehaviour in the interaction. To enhance the secu-rity of both service providers and service users, improvements are needed to the existing procedures. The non-repudiable service usage procedure was developed as part of the TIVIT Future Internet SHOK -project. In this model, the service user and the service provider are bound to the actual service usage with certificates. The charging of the service usage is done using hash chains which are bound to the certificates. Now the service user pays only for the service he or she gets. Time or traffic based charging scheme can be used in the service usage. Evidence is gathered from the service usage to help solve possible conflicts afterwards. An actual implementation based on this model was made using Host Identity Protocol for Linux and RADIUS protocol. RADIUS protocol was used to gather the created evidence of the service usage. The implementation was developed for Linux using C-language. The goal of the implementation was to evaluate the concept in actual use. Performance of the implementation was measured with various real use scenarios to evaluate the feasibility of the implementation. Results indicated that the performance of the model is sufficient to serve several simultaneous users. However, the architecture of Host Identity Protocol for Linux caused some performance issues in the implementation

    Non-repudiation Service Implementation Using Host Identity Protocol

    Get PDF
    New types of service usages emerge every day in the Internet. Service usage could be Wireless Local Area Network (WLAN) usage or watching a streamed movie. Many of these services are commercial, so payment is often involved in the service usage, which increases the risk of fraud or other misbehaviour in the interaction. To enhance the secu-rity of both service providers and service users, improvements are needed to the existing procedures. The non-repudiable service usage procedure was developed as part of the TIVIT Future Internet SHOK -project. In this model, the service user and the service provider are bound to the actual service usage with certificates. The charging of the service usage is done using hash chains which are bound to the certificates. Now the service user pays only for the service he or she gets. Time or traffic based charging scheme can be used in the service usage. Evidence is gathered from the service usage to help solve possible conflicts afterwards. An actual implementation based on this model was made using Host Identity Protocol for Linux and RADIUS protocol. RADIUS protocol was used to gather the created evidence of the service usage. The implementation was developed for Linux using C-language. The goal of the implementation was to evaluate the concept in actual use. Performance of the implementation was measured with various real use scenarios to evaluate the feasibility of the implementation. Results indicated that the performance of the model is sufficient to serve several simultaneous users. However, the architecture of Host Identity Protocol for Linux caused some performance issues in the implementation
    corecore